-
Notifications
You must be signed in to change notification settings - Fork 10.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[FIX] Custom Oauth store refresh and id tokens with expiresIn #14121
Conversation
@geekgonecrazy do you mind reviewing this |
Nice! I’m not sure however... if the refresh is ever even used? |
The ci/circleci test failures have nothing to do with this pull-request:
|
@geekgonecrazy You mean if Rocket.Chat/Meteor uses refreshTokens, or that it need to be set in a different way? I'm setting it now, like the Google provider sets it. Ralf |
No I mean. Now we have it.. cool! but where or how is the refresh token actually used by Rocket.Chat? |
The accessToken is registered with it's expiration. If we got an refreshToken, we can use that to get a new accessToken, after it's expired, without "bugging" the user again. Ralf |
Just a heads up by adding the registerAccessToken as part of this you have overlap with: #14113 opened just a bit before yours. |
…t the accessToken lifetime
I rebased this pull request in my repo on top of @knrt10 one: https://github.com/EGroupware/Rocket.Chat/commit/7aba9cad805d376aaef2c7a7e6901bc742df00ad I searched through Rocket.Chat codebase for usage of expiresAt or refreshToken: I'm pretty sure they are NOT used at all :( I think when Rocket.Chat receives an accessToken, eg. through custom OAuth, it's ok to verify it's currently valid by using the identity endpoint with the accessToken as Authorization: Bearer. When the next Api request with the same token arrives, you can either: Other use case is the Rocket.Chat client and I believe that's what #13693 is talking about: after the initial OAuth authentication by the user, Rocket.Chat should not assume the user is authenticated for ever, but only for the lifetime of the token. If the token is expired, Rocket.Chat either needs to bug the user again for an other OAuth authentication, or try to automatically get a new accessToken through the refreshToken (from the server-side), which might fail in case the user revoked the refreshToken in the meantime because he eg. lost the device. I think that's were Rocket.Chat has a problem: there is no way to cut off access by a lost client-device, in case an external OAuth server is used. Ralf |
Seems you are at the same conclusion I reached. I still think this is great to have added. But yes we may need to follow up with a pull request to tie rocket.chat token life time to oauth life time. But I have a feeling that will not be an easy task to track down |
Sorry some of these suggestions are only needed because of the conflict merging. 😊 |
Co-Authored-By: ralfbecker <rb@egroupware.org>
Co-Authored-By: ralfbecker <rb@egroupware.org>
Co-Authored-By: ralfbecker <rb@egroupware.org>
is there any issue available thats tracks progress for "pull request to tie rocket.chat token life time to oauth life time" |
Closes #13693